topic Re: Move zone and policies between VSYS in General Topics

Move zone and policies between VSYS

licenselu — Fri, 22 Jun 2018 13:21:22 GMT

Hello,

One of our customer wants to implement VSYS. Currently, the current firewall is Checkpoint appliance (around 900 rules)..

The idea is to replicated the config from the Checkpoint to the PA with only one VSYS to avoid a big bang...

So I will create all zone (in the only one VSYS in the beginning) and policy between zone.

Until now, everything is OK...

The next phase will be to the divide the initial VSYS to 3 or 4 VSYS (only on routing table for all VSYS).

It seems it's not possible to move zone (and thus policies) between VSYS (interface/subinterface can be moved) when its' created...

So does it mean I need to recreate zone and policies in the new VSYS ?

PS: I known that the destination zone will change because the destination zone will be in another VSYS...

Any idea to eliminate the needs to recreate zone and policies and to avoid granular rulebase review everytime we add a new VSYS...

Regards,

Re: Move zone and policies between VSYS

BPry — Fri, 22 Jun 2018 18:47:47 GMT

@licenselu,

Because of the way that the firewall actually handles VSYS you can't actually move it between VSYS directly in the GUI; because that kind of ruins the whole point of VSYS being a totally seperate virtual System. What you can do, and what I would recommend in this situation, is moving the policies directly through the XML or the Migration Tool by simply cutting the code from one VSYS location and copying it the next.

Just a word of caution in how you are doing this currently; I've found companies that implement with the design of moving to a multi VSYS configuration once the firewall is already processing traffic, it never actually happens. I would highly recommend pushing them to allow you to do the configuration of the multiple VSYS before the firewall is actually in production. This design simply duplicates a lot of work regardless of how you actually make this change once it's been put in place.

Re: Move zone and policies between VSYS

licenselu — Mon, 25 Jun 2018 06:18:22 GMT

Hello,

First, thanks a lot for your reply.

What's do you mean by 'it never actually happens' ??

Is it not enough to reboot the firewall (after moving the interface to the correct VSYS') ??

In my case, a maintenance window will be available to perform such kind of operations...

Regards,

Re: Move zone and policies between VSYS

BPry — Mon, 25 Jun 2018 13:59:11 GMT

@licenselu,

What I meant was that when companies attempt to setup the configuration with a single VSYS to get everything functional with minimal changes with the intent to eventually switch to a multi-VSYS setup, they hardly ever actually make it to a multi-VSYS deployment. Once you have a working system in production moving to a multi-VSYS deployment is the steps to move the configuration over to a multi-VSYS and update the routing and security policies appropriately is a lot of work, with a large possibility of downtime as you work through any issues that may arise.